
Cybercrime

Researchers Trap Scattered Lapsus$ Hunters in Honeypot

Using fake accounts and synthetic data to lure the hackers, the researchers gathered information on their servers. The post Researchers Trap Scattered Lapsus$ Hunters in Honeypot appeared first on SecurityWeek.

Members of the notorious Scattered Lapsus$ Hunters cybercrime group fell into a cleverly crafted trap and exposed information about their attack servers, Resecurity says.

In early January, the Scattered Lapsus$ Hunters hackers boasted on their Telegram channel about hacking the cybersecurity firm Resecurity and stealing large amounts of data.

The hackers have since removed the post, after learning that they had, in fact, stepped into a trap that Resecurity had been preparing for months.

To catch the attackers in the act, the company’s researchers set up a honeypot containing a large amount of synthetic data, planted a fake account on an underground marketplace for compromised credentials, and then sat back to observe the hackers’ movements.

Resecurity decided to set the trap in November, after noticing that the hackers were probing their publicly facing services and applications for reconnaissance.

They set up the honeypot in an emulated environment, isolated from real assets and closely monitored, planted the honeytrap account on the dark web, and gathered data from open sources to populate the honeypot and make it attractive.

“For synthetic data, we used two different datasets: over 28,000 records impersonating consumers and over 190,000 records of payment transactions, and generated messages. Notably, in both cases, we utilized already known breached data available on the Dark Web and underground marketplaces,” Resecurity said on Christmas Eve.

The data combo, the cybersecurity firm says, was meant to mimic a business application, complete with financial transactions, and the lure was enhanced with chatter referencing outdated logs from 2023.

The initial threat actor activity was observed in November and resumed toward mid-December, when automated tools relying on residential IP proxies were used to dump the synthetic data.

“Between December 12 and December 24, the threat actor made over 188,000 requests attempting to dump synthetic data. During this period, the Resecurity team documented the activity and collaborated with relevant law enforcement authorities and ISPs to share information about it,” Resecurity says.
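As an added illustration of the monitoring step described above (this is not Resecurity's tooling; the log line format, the account name, the addresses and the thresholds are constructed assumptions), the following script flags the traffic pattern the article describes: bursts of requests walking record IDs in sequence, spread across rotating proxy addresses, against a honeytrap account that no legitimate user should ever touch.

```python
"""Flag automated dump activity in honeypot access logs (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format for this example: "<ISO timestamp> <account> <src_ip> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
RECORD_RE = re.compile(r"^/api/records/(\d+)$")


def parse(lines):
    """Parse log lines into (timestamp, account, ip, path), skipping malformed ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, account, ip, path = m.groups()
            events.append((datetime.fromisoformat(ts), account, ip, path))
    return sorted(events)


def find_dump_sessions(lines, window=timedelta(seconds=60), min_requests=100, min_ips=10):
    """Return {account: summary} for accounts whose traffic in any window looks like a
    scripted dump: many requests, many rotating source IPs, mostly sequential record IDs."""
    by_account = defaultdict(list)
    for ev in parse(lines):
        by_account[ev[1]].append(ev)
    flagged = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            if len(span) < min_requests:
                continue
            ips = {e[2] for e in span}
            ids = [int(m.group(1)) for m in map(RECORD_RE.match, (e[3] for e in span)) if m]
            sequential = sum(1 for a, b in zip(ids, ids[1:]) if b == a + 1)
            seq_ratio = sequential / max(len(ids) - 1, 1)
            if len(ips) >= min_ips and seq_ratio > 0.8:
                flagged[account] = {"requests": len(span), "source_ips": len(ips),
                                    "sequential_ratio": round(seq_ratio, 2)}
                break  # first matching window is enough to raise the alert
    return flagged


def constructed_log():
    """Constructed sample: one slow human session, one proxy-rotating dump session."""
    t0 = datetime(2025, 12, 12, 9, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=3 * i)).isoformat()} analyst 203.0.113.7 /api/records/{i * 17}"
             for i in range(5)]
    for i in range(300):  # 300 requests in 60 s, 30 rotating addresses, IDs 1..300
        ts = (t0 + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} honeytrap-user 198.51.100.{i % 30} /api/records/{i + 1}")
    return lines
```

Any hit on the honeytrap account is itself an indicator, since its credentials exist only on the underground marketplace where they were planted; the burst check adds the timing and proxy-rotation detail worth sharing with ISPs and law enforcement.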

Monitoring the hackers

By closely observing the hackers’ actions, the cybersecurity firm gathered information on their tactics, techniques, and procedures (TTPs) and identified their server IP addresses (including two in Egypt) following proxy connection failures.

A week after Resecurity published a blog detailing the trap, Scattered Lapsus$ Hunters announced on Telegram that they breached the security firm and stole employee data, chats, logs, and client information.

The hacking group claimed it was aware of Resecurity’s attempt to “social engineer” them, and that they “fully owned” the organization. In fact, it was the other way around.

“The screenshots shared by the threat actors relate to ‘[honeytrap].b.idp.resecurity.com’ (a system emulated with compromised data from the Dark Web and not associated with any actual Resecurity customers) and the Mattermost application, which was provisioned for the honeytrap account ‘Mark Kelly’ around November 2025 for this purpose,” Resecurity notes in a January 3 update.

The cybersecurity firm also notes that the available network intelligence and timestamps gathered from observing the hackers’ actions were used by a law enforcement agency to issue a subpoena request regarding the threat actor.

In addition to identifying the attacker, the researchers linked a Gmail account to a US-based phone number and to a Yahoo account and shared the information with the relevant law enforcement.
